Wednesday, September 7, 2016

Authenticating Photos with Metadata

The admissibility of digital evidence bridges the rules of evidence and computer forensics. In the case of Riverkeeper, Inc. v. Brooklyn Ready Mix Concrete, photos were offered by a witness to show unlawful dumping by the Defendant. Riverkeeper, Inc. v. Brooklyn Ready Mix Concrete, No. 14-CV-1055 (NGG) (SMG), 2016 U.S. Dist. LEXIS 108357, at *10-11 (E.D.N.Y. Aug. 16, 2016).

The Court explained, “The standard for admissibility of photographs requires the witness to recognize and identify the object depicted and testify that the photograph is a fair representation of what it purports to portray.” Riverkeeper, at *10, citing Zerega Ave. Realty Corp. v. Hornbeck Offshore Transp., LLC, 571 F.3d 206, 214 (2d Cir. 2009). The witness stated in his affidavit that he was the photographer and that the photos were accurate representations of what he observed on the date the photos were taken. The Court held the proffering party had offered an adequate foundation for the photos.

The Defendants challenged the authenticity of the photos, claiming that the photos were not taken on the day the photographer stated the photos were taken. Riverkeeper, at *10. The Court rejected the challenge, explaining that the defendants did not produce “any evidence calling into question the reliability of the metadata establishing the photographs’ creation dates.” Riverkeeper, at *10. The Court went on to say that the defendants “did not arrange for a forensic examination of the camera or the photographs, despite being given such an opportunity by the Court.” The Court found that the defendants’ challenges to the authenticity of the photographs were not persuasive. Riverkeeper, at *10.

This case illustrates a number of interesting aspects of authenticating and admitting digital photos as evidence, as well as a number of potential pitfalls of circumventing the forensic examination process. Let’s break down the basic facts: The Plaintiff submitted a number of digital photos taken with an unknown camera, possibly a digital camera or a smartphone, which is very common these days. If the evidence had only been produced in hard copy form, a number of arguments could have been made against admission, including the inability of the Defendant to acquire and examine the evidence in its native file format.

In this case, the Plaintiff provided the Court copies of the original electronic files, including metadata that was not specifically described. The court noted the filenames appeared to correspond to date and time stamps, due to the naming convention. Exhibit O was listed with the filename 20150914_110215.jpg. The question arose as to whether or not the filenames were created programmatically from the digital device or if they were renamed as they were copied to new media. If the latter is accurate, the file date and time stamps would also have been altered, giving rise to a potential spoliation claim.

Unfortunately, the Defendant claimed the photos may have been taken on other dates, asserting they were not authentic. Also, the Defendant did not take advantage of the opportunity to validate the Plaintiff’s claims by utilizing a digital forensic examination of the evidence, nor did he challenge any potential chain of custody issues. This weakened his position and resulted in his testimony that “he really didn’t know when the pictures were taken.”

Recognition and identification of evidence are necessary characteristics for admissibility. The photographer claimed in an affidavit that he took the photos and they were an accurate representation of what he witnessed. His testimony was consistent in this regard. Although the standard was met, recommended practices with digital evidence would include the following:
  1. Digital evidence is acquired in a forensically sound or defensible manner. A forensically sound acquisition ensures that no alteration to the evidence occurs. This is usually accomplished with various hardware or software solutions. With civil matters, a “defensible” collection may be required. Defensible may be defined as a repeatable process that is documented.
  2. The evidence is authenticated with a hash algorithm. Common standards are known as “Message Digest 5 (or MD5)” or “SHA-1.” These algorithms produce mathematical values that may be considered “digital fingerprints.”
  3. Evidence is stored on a “forensically-prepared” piece of media. Removable “thumb drives” or external drives may be used. Forensically-prepared means the drive has undergone a data “wiping” process to prevent any potential cross-contamination or commingling of evidence.
  4. A Chain of Custody form is completed to specifically identify the evidence, and to track who handled the evidence.
  5. A digital forensic examination is conducted on the evidence. The file properties and hash values are recorded. The examination may reveal any alteration based on date and time stamps, and file sizes and/or hash values (if an exemplar is available for review). The file metadata may also include Exchangeable Image File Format (or EXIF) data. This information provides additional details, such as the specific make and model of the device the image was created with, photography settings such as f-stop and ISO speeds, software and version number, compression, and the distance from the source, to name a few.
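
As an added illustration of steps 2 and 5 (not code from the original post), the Python sketch below hashes a photo read-only and compares three independent time sources: the YYYYMMDD_HHMMSS filename convention seen in Exhibit O, date strings embedded in the file, and the filesystem modified time. The function name `examine`, the two-second tolerance and the byte-pattern scan (a triage heuristic, not a full EXIF parser) are assumptions, and the sample bytes are constructed, not a real JPEG.

```python
import hashlib
import os
import re
from datetime import datetime

NAME_RE = re.compile(r"(\d{8}_\d{6})\.jpe?g$", re.IGNORECASE)
# EXIF stores its date fields as ASCII text in the form "YYYY:MM:DD HH:MM:SS".
EXIF_RE = re.compile(rb"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}")

def examine(path, tolerance_s=2):
    """Read-only triage of one photo: hashes plus three independent timestamps."""
    with open(path, "rb") as fh:
        data = fh.read()
    report = {"md5": hashlib.md5(data).hexdigest(),
              "sha1": hashlib.sha1(data).hexdigest(), "size": len(data)}
    m = NAME_RE.search(os.path.basename(path))
    name_time = datetime.strptime(m.group(1), "%Y%m%d_%H%M%S") if m else None
    embedded = set()
    for raw in EXIF_RE.findall(data):
        try:
            embedded.add(datetime.strptime(raw.decode("ascii"), "%Y:%m:%d %H:%M:%S"))
        except ValueError:
            pass  # digits that fit the pattern but are not a valid date
    # Assumption: the examiner's workstation uses the same time zone as the device.
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime).replace(microsecond=0)
    report.update(name_time=name_time, embedded_times=sorted(embedded), fs_modified=mtime)
    findings = []
    if name_time is None:
        findings.append("filename does not follow the YYYYMMDD_HHMMSS convention")
    else:
        off = lambda t: abs((t - name_time).total_seconds()) > tolerance_s
        if embedded and all(off(t) for t in embedded):
            findings.append("filename time matches no embedded date string")
        if off(mtime):
            findings.append("filesystem modified time differs from filename time")
    if not embedded:
        findings.append("no embedded date string found")
    report["findings"] = findings
    return report

if __name__ == "__main__":
    import tempfile
    # Constructed sample, not a real JPEG: start marker, one date string, end marker.
    sample = b"\xff\xd8Exif\x00\x002015:09:14 11:02:15\x00\xff\xd9"
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "20150914_110215.jpg")
        with open(p, "wb") as fh:
            fh.write(sample)
        print(examine(p)["findings"])
```

Run as a script, the sample is written at the current time, so the report flags the filesystem timestamp as inconsistent with the filename while the embedded date still agrees with it.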

To conclude, technology, processes and people trained in digital evidence exist to ensure that the evidence at issue is handled and authenticated properly before it is presented to the Court. Additionally, these skills may be used when suspicions arise as to the reliability of the evidence that is proffered.
